Inside the insider threats

Captions
So good morning everybody, thanks for making it to our session here this morning. You know, cybersecurity departments usually have their roots in IT, and like my department, and it's not just my department, it's all IT departments, IT guys prefer to deal with the dead things, right? They try to do pen testing on internet-facing applications, the web service and so on and so forth. What they usually do not try to do is deal with people. However, we know that nearly all of the cyber incidents have a human component as one of the key causes or enablers of the cyber incident, and sometimes even a malicious insider, and the insider topic is the topic of today's session. I am so excited that we have one of the world's leading experts on the human component in cybersecurity here with us today. She is co-founder of the consultancy Redacted Firm, she is engaged by global banks, she is engaged by national defence organisations, by governments, she is frequently sought after by media, we know her from BBC, from Sky News, and she recently has been elected by SC Media UK as one of the top 20 women in cyber security, or Women of Influence in cyber security. Please, ladies and gentlemen, join me in welcoming Dr. Jessica Barker.

Good morning everybody, it's great to see you here. Thank you so much for joining the session on the insider threat, which I'm going to talk about for the next hour or so. Before I get started, it's my first time speaking in Toronto, so I wanted to take just a couple of minutes to introduce myself beyond what Mark has said, so you can find out a little bit more about who this person in front of you is. So I'm Dr. Jessica Barker. Of course I am not this kind of doctor but this kind of doctor, so I can't help when something like this happens, because as you will appreciate my work is much more serious: I work in cybersecurity. But that doesn't mean that I am one of these or one of these. In fact my background is in the human side of cyber security, so I work on the sociology and the psychology and the communication side of cyber security, very much interested in where people meet technology. I have a background in consultancy, and people would often say, if they weren't a consultant themselves, what do you actually do as a consultant on a day to day basis? And of course the answer is that I write the word success on transparent walls, I'm really good at jigsaw puzzles, and my expertise in particular is in high-fives and fist bumps. I'm really good at high-fives and fist bumps, you'll have to take my word for it. But that means I get to do lots of stuff like this: so I do lots of speaking engagements, lots of talking about cybersecurity, lots of awareness-raising training, and I also am in the media quite a lot, as Mark mentioned, usually talking about what the latest cyber attack or data breach means in real terms to the average person and what people can do to better defend themselves. So you will appreciate that when I go on the news and I'm talking about the latest cyber attack, that means you will often see me on there looking shocked, you'll see me on there looking disappointed, you might see me on there looking angry, and on a really bad day you'll see me looking really, really sad. Working in cyber security really does make you shocked, angry, disappointed and sad on a regular basis, and so I let off steam by doing stuff like this, and stuff like this, this technology, doing stuff like this, and making stuff like this, which is an alarm clock, not a bomb, and stuff like this, jewellery making, which is an excuse to use a hammer. So that's me in a nutshell, but I'm not talking about my hobbies today.

I'm talking about the insider threat and what that means to organizations, and what we can do to better understand the psychology, the sociology, the fundamentals about humans in relation to the insider threat. In terms of the insider threat I'm covering everything from the malicious insider, the coerced insider, which we seem to have seen a rise of, the accidental insider threat, which is the largest in terms of volume of attacks or volume of incidents, and then I'm going to end on what we can do to mitigate all forms of the threat, from malicious through to accidental. And I'm going to begin with the malicious insider. Usually when you talk about the insider threat most people think of that in terms of the malicious side; they think about employees who turn on their organization, and we've certainly seen a number of these attacks in the media in the last couple of years. But of course we know that the attacks that we hear about in the media are an absolutely tiny proportion of the malicious insider activity that actually takes place in organizations, and this is largely because if a malicious insider is discovered in an organization, that organization usually wants to keep that very quiet because of the impact it can have on people's trust in the organization and on reputation. But we've seen a few cases, and some interesting ones I just wanted to bring to your attention.

We have seen for example Gordon Ramsay. Everybody is familiar with Gordon Ramsay, the celebrity chef. A very interesting case, and for him personally, when his father-in-law was jailed quite recently for coercing his two sons, or working with his two sons, who also worked in Gordon Ramsay's business, to hack the computer systems and to hack Gordon Ramsay's emails. So Gordon Ramsay's father-in-law had worked with him for 12 years, he was the CEO of Gordon Ramsay Holdings, Gordon Ramsay fired him, and this prompted the father-in-law to set about hacking the computers, getting secret information and leaking that information to the press. So some of the information made its way into an English tabloid, it was discovered, and the father-in-law was sent to prison. So we can see already an interesting case there of somebody who feels disgruntled, somebody who has been fired, he feels hard done by, and we'll return to that theme in a moment.

The Morrison's example: Morrison's is a supermarket in the UK if you're not familiar with them, and in 2014 somebody called Andrew Skelton, who worked there as an auditor, stole the payroll and personal information of 100,000 employees in Morrison's and he leaked that onto the internet, and again he sent it to newspapers. He did that, it emerged in the trial, because he had been reprimanded, allegedly, for trying to sell drugs in his job, in his role, and so again he had that feeling of being disgruntled, of having been punished. And he was found out, he was discovered, sent to prison. What's very interesting about that case is that the employees have banded together and they are pursuing the first class-action lawsuit regarding data leakage against Morrison's, so it's an ongoing case. We'll have to see where that goes, but it could lead to being very costly.

And then we have the TalkTalk example, and this is not related to the TalkTalk hack that happened a couple of years ago. Around the same time, what happened is that TalkTalk outsourced their customer service, or part of their customer service, to India. Two people that worked for them stole a database of 21,000 customers' information and they set up essentially a scam business. They had an office, they had employees, some of those employees thought they were working for TalkTalk legitimately, and the whole operation was set up to scam the 21,000 people in that database. And there's a really interesting article which outlines exactly what happened by Geoff White, an investigative journalist. So these are just a few of the insider malicious activities and attacks that we've seen in the last few years, but
how can we understand these activities, particularly if you have an individual who has been loyal to their organization, who may have worked there for many years? How can you understand them apparently suddenly turning on the organization they've seemed so loyal to in the past? And we can look to some models of psychology and insider activity related to fraud in particular. So we have the classic fraud triangle at the top, and then the fraud triangle in the last decade or so was expanded into what's known as Crowe's Pentagon, and if you saw my interview on cyber TV I referred to it there. Crowe's Pentagon really explains how you can have somebody who seems very loyal, who has been a committed employee, and then has turned to a malicious insider, and what you will see in those cases, as we saw in the examples that I went through, is there will be the existence of opportunity. So of course somebody needs access to the information, very clear in the auditor's case with Morrison's; as an auditor that individual would have access to a lot of information. There is pressure, and often this can be pressure that's external to the organization. This can be pressure at home, for example a partner who's made redundant, debts, maybe due to gambling or maybe due to sending your kids to school or whatever it may be, but something that is putting pressure on the individual. And then, absolutely crucial and really fascinating, is the rationalization, the justification, where an individual will feel like they are doing what is deserved. They're not doing anything wrong, they're certainly not doing anything criminal in their eyes; in fact in their eyes they are the victim, and what they are doing is just taking what they're deserved, or they are enacting revenge on an organization that hasn't treated them well. But certainly they will rationalize the activity in their head, where they would never conceive of themselves as being a criminal or in the wrong. And then what we have added to those classic three parts of the triangle is arrogance and competence, and these are vital in a modern organization where there is so much monitoring of individuals and where people know that a workplace can monitor everything you do, really, when it comes to technology. So somebody must have a level of competence and a level of arrogance to think that they can carry out such a malicious insider attack and get away with it.

If we expand on that a little bit more, then there's a really interesting, really helpful framework that was developed by a group of academics, and you can see the reference to the paper there if you want to have a look in more detail. It's a really interesting paper that tries to put a greater grounding and level of understanding behind what we know to be factors in the insider threat, and this is looking at both malicious and non-malicious threats. What the paper discusses, it's based on an analysis of 80 insider incidents in organizations, and it discusses everything from the catalyst, the thing that will prompt the person to actually carry out the attack. So this might be being demoted, not being promoted, not getting a raise, or it might be a perceived catalyst, so it might be a rumor that somebody isn't going to get a raise, or a rumor that bonuses aren't going to go through, or a rumor that someone else is going to be promoted above the individual. So rumors and perception are absolutely as important as fact and truth in terms of the catalyst. We then have an exploration of actor characteristics, and this is where it gets really interesting in terms of an individual's personality, and personality we can understand in terms of both fixed characteristics and in terms of ones that are the result of life experience. So it might be the reaction to stress, for example, or it might be somebody who has what's known as elements of the dark triad, so this is Machiavellianism or narcissism, for example, and we will see that kind of narcissism, Machiavellianism or psychopathy existent in people who are malicious insiders. But just because somebody has those characteristics doesn't mean that they will be a malicious insider; it's very much the relationship between their personality and the catalyst. And then we see all sorts of other things around their personality traits, you know, how they behave, whether they are good at integrating, whether they're extroverted or introverted, historical behavior, which again may not be a crucial indicator. If you've had somebody that's carried out some kind of fraudulent activity in the past then that may imply that they will be more likely to carry out some fraudulent activity in future, but just because somebody hasn't carried out any fraudulent activity doesn't mean they never will. The examples that I gave before, for example the Morrison's example, that individual had never carried out any kind of malicious activity, as far as we're aware, in an organization before, but because of his characteristics and because of the catalyst that he experienced there, having been punished for something else, that's what led to his insider activity. And there's many other factors: why they're motivated to attack, the skill sets that they have, do they have the opportunity, all of these characteristics coming together. Now what's interesting from an organizational point of view is that there is a clear opportunity between psychological state and motivation to attack to have an intervention. So if you know your workforce well, and if you can observe what's happening, what the context is, what morale is like in general, whether this individual has experienced any kind of catalyst or may perceive a catalyst coming, and if you can see them behaving in a way that is outside of the norm for them, then that's a good opportunity to intervene, to try and tackle the issue, to try and lay bare any issues or disgruntlement that they feel, and try to offset the potential for them to carry out an attack or any kind of malicious activity. So it's a really interesting paper that outlines in depth what happens to create, or to lay the circumstances for, malicious or non-malicious insider activity. The paper is set up really for people to understand why attacks take place and to take a retrospective look at attacks, but what I found it interesting for is in terms of tabletop exercises. So one thing we know from research, from talking to organizations, is that when organizations are planning out their incident response, if they're doing a tabletop exercise to plan how you would react to an incident, often organizations overlook insider attacks, particularly malicious insider activity, and so I find this paper really useful to model out a kind of scenario of an attack and then to plan an incident response activity around it. So a really good opportunity for tabletop training.

Moving on from the malicious insider, we have the coerced insider, and we don't tend to hear so much about this, but there have been a few examples, we've heard a few news stories, and we've actually seen some malware around this as well. So in 2016 a researcher discovered on the dark web Delilah, and Delilah is the first extortion Trojan designed really to collect personal, sensitive information about an individual from their machine and then use that to extort the individual to be an insider in their organization. So it's targeted at people in executive roles, people in financial positions, people who have access to a lot of sensitive information, and it would collect all sorts of information, including turning on the webcam, and it was particularly prevalent in gaming websites and in adult websites. So we can see what Delilah is aiming to achieve, or what the criminals are aiming to achieve, through the Delilah Trojan. We've also heard in the last couple of years, of course we had Ashley Madison, and what we saw with some cyber criminals is them looking through the Ashley Madison database for company email addresses, people who had signed up to Ashley Madison using their company email address, then finding that individual, for example through LinkedIn, what position they were in, and then again using that information to blackmail them. We've seen a rise as well in sextortion attacks aimed at executives. Is everybody familiar with what a sextortion attack is? So a sextortion attack is carried out over social media. You'll receive a friend request from somebody who you don't know but who looks attractive, somebody who looks interesting to you, and so you accept the friend request, you engage in conversation with this individual, you share messages, you build up a rapport, you discover that you have lots in common with this person. This person is very interested in you, in your life, and they seem like a really nice person, a very attractive person, and then they might send you some explicit images or video footage, apparently of themselves, and they will ask for the same in return. Because you feel like you've developed a relationship with this person, and because of the social norm of reciprocity, if someone does something for us we feel obliged to do similar back, individuals will then share explicit images of themselves. They'll feel that they're sharing it with somebody they can trust. As soon as they share that image or that video, that webcam footage of themselves, then they'll discover that of course the person they're speaking to is not whoever they thought they were, but is usually an organized criminal gang using footage and images that they've stolen from somewhere else on the internet, and then coercing the individual. In a traditional sextortion attack they would be trying to extort money from the individual, and those attacks were really aimed at teenagers, and a lot of teenage boys have been targeted with those attacks, but what we've seen in the last couple of years is an increase of those attacks aimed at executives, so aimed at people in organizations, with the motivation of extorting information out of that
person, of using their position in the company. So these are the kind of coerced activities that we're seeing, and we're also seeing some malicious insiders who are advertising on the dark web their position in an organization and saying I can access x, y and z information, who wants to buy the payroll of my organization from me, or whatever it might be.

And then we have the far more prevalent issue, which is non-malicious insider activity. So when we talk about malicious versus non-malicious insider activity, the way that it is split is really that the non-malicious insider activity is far more common. This is the kind of thing that is happening absolutely every day, and this is well-meaning individuals, either employees, contractors, trusted third parties, people who have access to your information, to your network, and they're trying to do a good job but they make a mistake. It may be because they didn't have the correct training, it may be that they are operating at a level that is above their skill set, it may be that they're just focused on the day job, of course, and not on security, all sorts of different issues. And we see non-malicious activity ranging from the classic somebody sending out an email and putting everybody's email address into the To field and not into the BCC field, so exposing email addresses; people, for example the lawyer who took client information home, put it onto his home computer, and then somebody else in his family accidentally uploaded it to the Internet; and then of course we see the non-malicious insider as people who might click on a spear phishing email link or download an attachment in a spear phishing email. They might click on a link that is ransomware, and we've seen different statistics, but somewhere between 76 and 95 percent of ransomware attacks are coming in via email, via phishing emails, in the last couple of years. The organizations that I work with, their two biggest problems, the two biggest issues they're trying to deal with from the human side of things, are spear phishing emails, particularly aimed at getting money from the organization, so the kind of fake supplier, CEO fraud style emails where they're asking somebody in finance to transfer money and it looks like it comes from the CEO, or ransomware emails, and these are the two biggest problems that organizations I work with are trying to deal with.

So when I talk about CEO fraud emails, this is the kind of thing that I'm talking about, and this is an email that was received by a client of mine. Obviously I've taken out any of the identifiable information, but I've kept the wording the same because it really demonstrates the triggers that are used, and it really shows why spear phishing emails are successful. One reason why is of course it uses the individual's name, it's directed at the individual, and it will look like it comes from the CEO. In this example the email said, from the CEO to the person in the finance department: we're acquiring a new company and this is extremely confidential, this is very sensitive, if you tell anyone else this will have an impact potentially on the stock price, I need you to transfer funds immediately. So already we see a number of psychological triggers there. You know, this is really sensitive; between the lines it's saying you're the most important one, I have trusted you and nobody else with it, so it's flattering the ego. This is extremely confidential: in a spear phishing email there will always be this push, or often be this push, for the recipient not to tell anybody else, because as soon as you say it out loud, as soon as you check with somebody else, it's more likely to be spotted. Someone is more likely to say that sounds a little bit odd, so they will try and get the recipient to stay quiet. And you must do this immediately, so the time pressure, so people aren't thinking clearly. And it carries on, really reinforcing: I know I can rely on you to do this, so making the individual feel like the CEO is trusting them with something really important. In this case the individual who received the email transferred the funds, and as soon as they did so, and I hear this all the time, as soon as they transferred the funds they knew something was a bit odd, or they were worried that it might be a bit strange. I see this all the time: people are manipulated by the email, they don't think clearly, they transfer the money, they click on the link, and then the pressure is removed and then they see it more clearly. But of course by that point, in this case, it was too late; money had been transferred, and by the time anybody was alerted it was gone, it could not be clawed back.

So we see many examples of spear phishing emails that draw on different psychological triggers. One of the most common, when it comes to trying to get an insider to do something, will be around curiosity, and so we hear this in the cyber TV interview: the person who interviewed me, they sent out a phishing campaign to test employees and they used people's payroll or bonuses. We also see the kind of classic dropped USB stick in a car park, in a company's reception, and it will be labeled bonuses and salaries, and this is curiosity at play. This is people feeling like they just can't help but see what's on that USB stick, if they're getting the same money as everybody else. So with curiosity people feel this temptation to look, this temptation to find out, and the research actually suggests that 30 percent of people, even when they're told that a link in an email is malicious, will click on the link, and they do so, and I quote, because they want to see what will happen. And of course most of the time nothing happens as far as they can see; they don't see what's happening behind the scenes. So from my perspective, where we've had success at Redacted Firm is carrying out training that really harnesses that curiosity. So when you do training, don't just tell people what happens, or tell people not to click on links, but actually show them why. So give them that explanation, give them that demonstration of what happens when they click on a link, show them both the attacker and the victim side, so they can see that actually on the victim side nothing happens, but on the attacker side this is what an attacker can achieve if you click on a link in a malicious email. So there you're really using that curiosity for your good, you're using that curiosity to help secure your organization, because if you don't harness it then cyber criminals may attempt to.

I mentioned temptation before, and temptation of course is at play in those kind of sextortion attacks that I was talking about, making somebody feel that they can't resist accepting a friendship, chatting to somebody online. And of course with the rise in social media we have seen these kind of attacks come on more and more, and as I said they're being targeted at executives, not just at younger people. But most people feel like they would never fall for something like that; most people feel like they are more savvy to this kind of thing. And also people often feel, with social media, like what's the harm? Somebody wants to connect with me on LinkedIn or Facebook or wherever it might be, what's the harm in me accepting that request? And so you accept the request, and then you receive a message, and you think, oh, what's the harm in replying? And what they do is they escalate every level. When you're in this exchange with an individual like that, they will escalate and push more and more, tell you more about themselves and ask to hear more about you, so really they are controlling the relationship in such a way that you will feel safe and comfortable. If they were to send you a connection request straight away asking for explicit images of yourself then of course you wouldn't send them; most people would never send them. But they will lull you into a false sense of security, and this is why I call it the cyber security siren song.

Sadly also with insider activity, with the accidental insider, one of the key things that people will prey on with individuals is kindness. I alluded to it earlier with reciprocity, but we see this kind of attack, for example: you get an email from somebody who says, you know, a friend, I am travelling abroad, I've lost my passport, I've lost my money, I've had my wallet stolen, can you please wire me funds, and gives details for a wire transfer. And our innate sense to help somebody, because we have been brought up to help and to be helpful and to be kind, means we don't question the veracity of that email. With kindness, and with looking at organizations, one of the key groups of people that I will want to engage with are receptionists and PAs. Receptionists in particular, they're kind of the front line of a building, of an organization, and as a receptionist you are taught to always be kind, always be deferential; if it's somebody in authority then you absolutely must be kind and helpful and not challenge. So this is an issue we have when it comes to security: often actually receptionists are the front line of security as well, but trying to enact security and trying to be kind of a buffer to prevent people coming into the building is a challenge when also a receptionist's role is to be kind and to be helpful. So it's something that we have to try and deal with when it comes to training.

And authority: authority is one of the biggest triggers used in these kind of spear phishing emails. I worked with an organization, or a group of organizations, in Malaysia, and at an organisation there last year the IT team had received some boxes of new kit that they were told in a note they had to install on the network as new antivirus. So they received these boxes of kit unannounced, you know, they weren't expecting it, one morning at their office, and there was a note on it supposedly from the CEO saying I need you to install this on the network, I need you to do
it immediately. Of course they're not going to question what the CEO is asking them to do, so they installed the kit, and only months later is it discovered that of course that was not sent under the CEO's instruction; it was malicious software that was sent by cyber criminals, who had been on the network for months and taking funds out. I can't remember how much they stole in the end, but it was a great deal of money. And this is one challenge we have in organizations: again, people are taught to do what somebody more senior to them says, and we're taught not to question, not to contradict, what our CEO, for example, is ordering us to do. So if you work in a finance position and you receive the kind of email I showed you earlier from the CEO, often the structures, the power dynamics in an organization, are set up in such a way that people feel like they can't question, they can't pick up the phone and ring the CEO and say did you really send me that email. So we're dealing there with notions of authority and power, and power dynamics in society that become particularly fundamental in organizations when it comes to security.

And the reason that we still have a lot of these problems comes back to the fact that a lot of people in society, and I'm referencing here Karl Popper, the philosopher, who said that a lot of people in society like to think that it works, that our relationships work, that other people work, that the whole setup of society works like a clock, that we can understand it rationally, that you can take it apart and put it back together and it all works in a very neat and ordered way. And what Popper said is that actually, when it comes to the mind, we need to understand it much more like clouds. People don't work in a rational way. People can justify the most terrible actions to themselves by saying that they were in a circumstance where they were forced to do it, or they had been treated poorly. People can be susceptible to social engineering because of typical psychological triggers that we've seen at play for hundreds of years, but now we have the Internet, and the kind of pace and scale of social engineering attacks through emails, through social media, has really taken off. So understanding the fact that people aren't the rational beings that we would want them to be, but in fact they can sometimes behave in very irrational ways, is absolutely crucial to cyber security. And as much as people are like clouds, this doesn't mean we can't ever predict their behavior. Of course we're at a point, if we continue with the analogy, where weather forecasting is very good: we can look at patterns of how clouds move, and we can see an overall dynamic as to how clouds move, and also how people behave.

So if we turn to behavioral economics we can see, or we can understand, that people aren't split into two camps. So often in society we like to think that individuals are either rational or irrational, and we like to think of ourselves usually as in the rational camp, that we are sensible, that if we got a spear phishing email, if we were coerced into insider activity, we would spot that and we wouldn't go along with it. But unfortunately we are all the same, and all of us have two sides of our brains: we have a rational side and we have a more irrational side. We have Dr. Spock, our rational, clear-thinking side, and we have Homer Simpson, our impulsive, emotionally driven side, and what we have all day every day is these two sides of our brains battling it out for control over our behaviors. When we are triggered into a hot state then we're more likely to act like Homer than like Spock. What is a hot state? A hot state is something like curiosity, something like temptation; it is stress, it is feeling impinged on by authority, it is feeling like somebody needs your help. And all the research shows that when we are in this hot state we think more mindlessly, so we don't think as clearly or as rationally as we would. So this is why the spear phishing emails use the kind of triggers that I've been through, and the example email showed: I really need your help, I rely on only you to do it, the flattery, the ego, the time pressure, the confidentiality. They may even say something like, we suspect that fraud is at play in your department, but I know that it would never be you, so I'm trusting you to help me with this. So all these ways of getting somebody to be in a more emotional state, and then if you can get somebody into that hot state you can get them to do something that they wouldn't normally do, like transfer three quarters of a million pounds to a bank account that hasn't been verified.

When it comes to dealing with the insider threat, what I have found is most important, particularly when you're trying to raise awareness around spotting spear phishing emails, social engineering attacks, and one thing that I found absolutely crucial, is around communication, and how we communicate with people about the threat that is out there. To try and illustrate the importance of communication I'm going to play a clip. It is one sentence in the English language, but it's been transformed by a computer to sound like gibberish. So I'm going to play you the sentence, I'd like you to listen very carefully and tell me if you can hear what the computer says. Could anybody hear what the computer said? No guesses? Okay, I'm going to play it again, have a really careful listen, tell me if you can pick out just a word or two. Any takers? I heard something there. No? No, we didn't get any at all. R2-D2 is usually what I hear. Okay, it's almost like I saw this coming, because I'm going to play you the translation. I want you to listen to the translation, then I'll play the original clip again, and I want you to see if you can hear it the final time once you've heard the translation. So that was "the Constitution Center is at the next stop". So I'm going to play you the original one more time, and I want you to see if you can hear "the Constitution Center is at the next stop". Most got it, maybe one or two didn't; most got "stop", got the final word. So the point of that is that your brain is always acquiring new information, and to really understand new information coming in you have to have the building blocks of prior information. So if somebody suddenly speaks to you in a new language you don't stand a chance of understanding it, unless you've maybe learned other languages that are similar, or unless you've already been learning some of the vocabulary and grammar. And it's absolutely the same when it comes to communicating about cybersecurity in general, and about the kind of threats that people need to be aware of: we have to speak in the right language for people to understand, otherwise they just hear gibberish.

So now moving on to sort of more of the mitigations, and what we can actually do to better prepare ourselves, better defend ourselves, against the insider threat, and we have some good news and some bad news here from SANS' most recent piece of research into insider activity and into whether organizations understand the insider threat. SANS asked a set of organizations what they consider most damaging to their organization if a threat is actually realized, and the good news is that organizations are understanding more and more the importance of
the internal threat and the fact that the internal threat actually is more likely to be damaging than the external threat because when somebody's inside your organization or when somebody when an attacker is let into your organization such as by a spear phishing email then they're able to carry out much greater malicious activity usually for much longer without being identified the bad news from the report is that organizations still think that the malicious insider is more of a problem than the non malicious insider whereas all of the research and all of my experience working with clients is that it is the unintentional insider that is the big problem and I know the malicious insider seems so much more dramatic organizations I think like to focus on the malicious insider activity because it seems much bigger it seems much more shadowy it seems much more damaging where is the unintentional insider is a bit more like death by a thousand cuts it is the constant drip of information it is the not as exciting issues around awareness raising behavioral change getting people to really understand the threats that are out there when organizations were asked about what items or what issues do they think we're affected by an incident or an attack we can see unsurprisingly that most of the organization's found compromised of privileged information for example credentials or of customer or client information as the biggest issue and of course this is completely understandable and I would totally agree with what is quite surprising when you look at this graph is that reputational damage is not higher because reputational damage from any kind of attack but particularly from an insider attack can be really damaging for organizations and some research suggests that between twenty to sixty percent of customers for example will remove themselves will stop using an organization a service provider when there has been an insider activity malicious activity so it's a quite surprising the 
organizations aren't putting reputational damage higher but if you're considering how to protect your organization from insider activity or if you're thinking of a program around this then I think looking at what threats you face and balancing up you know malicious insider non malicious insider external attacks and also what assets are most likely to be damaged that's absolutely the first step to take looking at your assets and looking at what what could cause you the most damage there is a fantastic research by and the UK Centre for the protection of national infrastructure and I'm not going to go into it in too much detail now because obviously there's a lot of information there but again if you're looking at how to manage the insider threat this is a fantastic resource kind of a road map of those activities that you could be undertaking and if you just search for CP ni managing insider risks you will find this downloadable roadmap it's also on the national cybersecurity Center website in the UK and it goes through all sorts of different things that you can do but it really at the heart of it has conducting a risk assessment that includes insider threat both malicious and non malicious and they go through knowing your assets identifying your own vulnerabilities your threats the impact that it would have and considering how you could be compromised the different avenues in and then from there now you can start to build up a program of mitigations so it's a really great resource that I would encourage you all to go and look at in your own time what I wanted to pull out and add to that is my thoughts on how we can coordinate a response and mitigations against the insider threat and these range from the technical through to the human a lot of people think specialising in the human side of cyber security they expect that the answer to human problems is with human solutions but I absolutely don't think this is the case there are things that are really important to do 
to help people understand cyber security having effective training is really important and the word effective there is crucial because so many organizations have training that doesn't work and they know it doesn't work and they put it out there just to take a box but if you're really serious about defending against the insider threat then absolutely effective training that is aimed behavioral change is fundamental to protecting against the insider threat people usually think of training as being about protecting against the non malicious the accidental insider and of course that's true but it also has the benefit of protecting against the non malicious insider because or against the malicious insider excuse me if we have a baseline of good behaviors and of good understanding around cybersecurity across the whole organiser then when you have somebody trying to carry out malicious activity it will be much harder for them for example to coerce somebody else into giving them their credentials and also their activity will be so much more identifiable when people see what good looks like across the whole and you get somebody trying to be bad it stands out so much more and people take it so much more seriously so effective training is really crucial for both the malicious and the non malicious mitigation I've got Sam Segura Gatien and access management on their segregation for me is the most crucial thing you can do to help mitigate the risk around the insider threat particularly non malicious insider I often hear organizations saying you know oh it only takes one user to click a link and then the whole network is destroyed if that is the case then that organization has a much bigger problem and somebody clicking on malicious links there is no way you should have such a flat network that an individual clicking on a malicious link in a spear phishing email should bring the whole network down and this is where just basic segregation comes in and we then have things like 
data loss prevention tools so ways of limiting what individuals can upload what they can share and also what they can see into in terms of sensitive data and of course security information and event management Sims so having in place really active monitoring logging and auditing of what people are doing to get what I referred to in the cybus TV interview of what normal looks like because once you know what normal looks like then abnormal stands out so much more I want to thank you so much for your time and for your attention this morning we have a little bit of time for questions if there are any I would be delighted to hear from you and I think there's a couple of mics if we could have a mic down for this gentleman here please and if you could please say your name and where you're from we'd really appreciate that before your question thank you hi thanks Randall Mickelson with Thomson Reuters I'm aware that some institutions are using like algorithmic to monitor employee behavior and so forth and and sort of pull together dots from this department in that department and try to develop a more data-driven employee profile we didn't hear a lot of that here but is that part of it is that an effective part of the toolkit is that something that companies need to invest in or are there you know softer approaches so I think that that kind of algorithm that kind of building up a picture of behaviors and of activity on the network can be really effective and helpful as a supporting tool but what I sometimes find with organizations is they want to run before they can walk and I would say get the basics in place before you do something like that that kind of monitoring that you're talking about is helpful in supporting you but also there's a danger that it can make organizations complacent and I find this with all sorts of technical tools is the leadership will think or even the IT team will think we've got this in place so that's fine that box is ticked but there is nothing 
like a manager knowing the people that they're working for them because seeing whether an individual never wants to take holiday or seeing whether an individual has gone from being engaged with their team to disengaged all from disengaged to engaged seeing whether an individual is stressed seems to have problems at home these are the kind of things that that sort of tool won't tell you about but that could be precipitous for some kind of insider activity thank you name is Stefan brave and Deutsche Bank my question is in terms of the effective training what can companies do in order to really make the training much more effective or what are the most errors you've seen from your experience so the biggest area that I see is organisations that roll out online training that people can just click through that hasn't been designed in a way to stop people brute-forcing it so if you have online training that people can just click through and put their answers in and the answers are all wrong oh well they go through again they take all A's this instead of all bees or whatever it might be and they just find a way of getting through it to get back to their job that's about the worst and that's very common and that training everybody will know that it doesn't work and sometimes what I see is organizations saying well people are always going to be stupid they're always going to make mistakes so we have this training but training doesn't work but we take the box of compliance and it's done and that for me is the worst attitude you can take the most effective training and it's difficult obviously when an organization gets to a certain size it's difficult to do face to face training for everybody but we know from decades of research into psychology and to how people learn face to face training is much more effective than anything that's kind of online and if you can show people why it matters that for me is when I see true behavioral change so not just giving people a list of 
things that they shouldn't do everybody knows that they shouldn't click on links and suspicious emails but they don't really know why everybody knows that they should have a good password for all of their accounts but that seems quite challenging and they don't really get why so the kind of good training that I propose is training that really demystify cyber security so if you can do for example spearfishing demo as I said earlier showing the victim and the attacker side and what happens when you click a link in a malicious email everything that the attacker can do from that point that really opens up people's eyes and they realize actually this is real this isn't just somebody from IT telling me about this they get actually how the threat really manifests itself we have a question at the back and then one at the front so one morning my name is Mike Sauer from Mora Bank first of all congratulations for your speech thank you very much thank you as we all know in the technology business many times measures like asset protection segmentation of the information etc our projects that take quite long then have to involve the entire organization and these are quite long projects so for these kind of measures besides obviously training and installation of the apiece do you see any any quick wins or any from your experience are there any quick wins or any shortcuts one one thing that I found really effective if we're thinking about emails if we're thinking about spear phishing emails one thing that's really effective in organisations I've worked with is putting in that button to click to say I suspect that this is a phishing email or having a dedicated email address that people can send suspect emails on to because what people don't like is to receive an email to not be sure about it and to have nothing that they can do with it and that's when they're more likely to be like oh well I'll just click it and see what happens whereas if they come report it if they can flag it 
and if you can roll something like that out quite quickly then you will see a dramatic reduction in people clicking on the links so that's one quick win that I might recommend Thanks we had another question here and yeah Jessica Ramos from Swift my question was like when this is beyond the malicious insider it's it's more for the people who make mistakes do you think the company should should apply severe measures to those people to signal you know that this behavior is not acceptable to the other people in the company how would you suggest we handle that I'm really grateful for that question because I realize it's something I didn't have chance to really cover from my point of view if somebody carries out something maliciously or if they are continually making the same mistake and not learning then you might look to sanctions but other than that I would say look to reward positive behavior rather than punish negative behavior so for example one thing you can do if you do the kind of phishing exercise that a lot of organizations run out most organizations when they do those phishing exercise they will highlight the 10 20 30 50 percent of people who clicked the link and they will put them for more training or they will name and shame them or they will point the finger in some way of X amount of people clicked on a link and they never focus on the positive whereas if you focus on 50 70 80 90 percent of people didn't click on a link in that phishing campaign and that's fantastic then you are driving more positive behaviors so one bank that I've worked with in the UK they actually did a phishing exercise and when it was over and they had the results in they went around everybody's desk and for everybody that didn't click on the link they left some chocolates on the table so the next morning people come in and there's an chocalate sand a note and everybody loves chocolates and a note saying well done we ran a fishing exercise and you didn't click on the link and so what 
they did in that was so genius because they highlighted good behavior and so people felt rewarded for good security which almost never happens and the people that clicked the link they weren't shamed they weren't punished but they just noticed Oh on my bank of desks everyone else got chocolates and I didn't so you know they kept a little bit quiet they didn't say anything about it but they took notes so it was a very subtle way of highlighting good behavior and also showing people where they had behaved poorly if we're constantly the department that punishes people then we drive those kind of incidents underground and what we have is people clicking on links losing laptops losing paper whatever it might be and they're so scared of being punished that they stay quiet and then as you all know you know the longer an incident goes on the more damaging it is whereas if you create a no blame culture then people are more likely to put their hand up and say I lost my USB stick or whatever it might be we had a question at the front as well oh and one at the back you next sure it's actually probably a continuation of what you were just explaining so Dianne Noland from Accenture financial services and so nobody are no companies like to talk about insider threats openly mm-hm I think you started to transfer that question but how can organizations talk about this insider threat without seeming like those suspicious of their employees it's a really difficult one and I've worked with lots of organizations that have that challenge and the best way to frame it is really we're talking about this to better defend everybody and it's not that we're suspicious of people but it's just that we know this happens we know it happens in other organizations and so let's all sort of focus on this issue to try and better defend our organization so kind of pitching it away where people feel they're part of the community and they're doing something to defend themselves and their organizations are 
kind of pitching it as a positive thing for morale and it's also talking about it in terms of the insider threat overall so you can talk about kind of malicious and non malicious and coerced activity all in one go and you can talk about it as part of wider training and so that you're not necessarily seeing signal singling it out but you still cover it as part of your training and your overall comes my name is Eve bullet from Europe here I was wondering what is your experience with behavior monitoring tools versus privacy knows yes this is quite challenging both in terms of monitoring tools and just in terms of what organizations do to to vet their employees so it's something that you need to be very careful of when you do any kind of monitoring or when you are vetting people either coming into the organization or not one thing we've seen in the last couple of years is cases around organizations looking at individuals social media and there is Ben advice from law enforcement and from lawyers the organization shouldn't look two deeply individuals Twitter and Facebook and other social media accounts because that's seen as a breach of privacy obviously it depends on the country that you're in and it also depends on the state of legislation at that time because our rules around this kind of thing are changing quite a lot so I would say anything you're going to do around monitoring or around vetting absolutely refer to your data protection officer to see what the state of play is in your country at that time and I think on that we are out of time I'm around for the rest of the conference so if anybody has any further questions or comments or wants to have a conversation I'd be light it'd be delighted to do so but otherwise thank you so much again for your time and for the excellent questions [Applause]
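The talk's closing mitigation point, that active monitoring, logging and auditing let you learn what normal looks like so that abnormal stands out, can be made concrete with a small per-user baseline check. The Python below is an added example written for this page; it is not code from the talk, from SANS, from CPNI or from any product mentioned. The log lines are constructed sample data, and the z-score limit, minimum history and spread floor are assumed values chosen for the example, not figures from the talk.

```python
"""Added example: build each user's own baseline of daily activity from earlier
days, then flag a day whose count sits far outside that baseline.

The log lines below are constructed sample data, not from any real system.
Each line is: date user action count
"""
from collections import defaultdict
from statistics import mean, pstdev

SAMPLE_LOG = """\
2017-11-01 alice file_download 12
2017-11-02 alice file_download 15
2017-11-03 alice file_download 11
2017-11-04 alice file_download 14
2017-11-05 alice file_download 13
2017-11-06 alice file_download 140
2017-11-01 bob file_download 40
2017-11-02 bob file_download 38
2017-11-03 bob file_download 45
2017-11-04 bob file_download 41
2017-11-05 bob file_download 39
2017-11-06 bob file_download 44
"""


def parse_log(text):
    """Parse 'date user action count' lines into tuples; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, action, count = line.split()
        records.append((date, user, action, int(count)))
    return records


def flag_anomalies(records, action, zscore_limit=3.0, min_history=5, min_spread=1.0):
    """Return the days on which a user's count for `action` is far above that
    user's own earlier days.

    The baseline for a day uses only earlier days, so a spike cannot inflate
    its own baseline. A user with fewer than `min_history` earlier days is not
    judged (cold start). `min_spread` is a floor on the standard deviation so
    that a perfectly flat history does not divide by zero. All three thresholds
    are assumed values for this example.
    """
    per_user = defaultdict(list)
    for date, user, act, count in records:
        if act == action:
            per_user[user].append((date, count))

    flagged = []
    for user, days in per_user.items():
        days.sort()  # ISO dates sort chronologically as strings
        for i, (date, count) in enumerate(days):
            history = [c for _, c in days[:i]]
            if len(history) < min_history:
                continue
            base = mean(history)
            spread = max(pstdev(history), min_spread)
            z = (count - base) / spread
            if z > zscore_limit:
                flagged.append({"user": user, "date": date, "count": count,
                                "baseline_mean": base, "zscore": round(z, 1)})
    return flagged


if __name__ == "__main__":
    for hit in flag_anomalies(parse_log(SAMPLE_LOG), "file_download"):
        print(f"{hit['date']} {hit['user']}: {hit['count']} downloads, "
              f"baseline {hit['baseline_mean']:.1f} (z={hit['zscore']})")
```

On the sample data only alice's sixth day is flagged: her earlier days average 13 downloads, so 140 is a large deviation, while bob's 44 sits within his own normal range even though it is higher than any of alice's ordinary days. That per-user framing is the point of the talk's "know what normal looks like" advice: a SIEM rule keyed to a single global threshold would either miss alice or drown in alerts about bob. The same structure extends to other actions (logins, USB writes, prints) and to peer-group baselines, and the answer given to the first audience question still applies: a tool like this supports a manager who knows their team, it does not replace them.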
Info
Channel: SibosTV
Views: 780
Rating: 5 out of 5
Keywords: Sibos, Technology, Sibos Conference, CyberSecurity
Id: 0YiXtSZeqEA
Length: 57min 49sec (3469 seconds)
Published: Tue Nov 07 2017